Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:

The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():

    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"

We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')

os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')

for l in fd.readlines():

    for x in finalRegs.keys():

           ...

We just parse the registers and send the to the server in the same format, and got the key.

The code:

from libcookie import *

from asm import *

import os

import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'

port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

fregs = 15

s = Sock(TCP)

s.timeout = 999

s.connect(host,port)

data = s.readUntil('bytes:')

#data = s.read(sz)

#data = s.readAll()

sz = 0

for r in data.split('\n'):

    for rk in cpuRegs.keys():

        if r.startswith(rk):

            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:

        sz = int(r.split(' ')[3])

binary = data[-sz:]

code = []

print '[',binary,']'

print 'given size:',sz,'bin size:',len(binary)        

print cpuRegs

for r in cpuRegs.keys():

    code.append('mov %s, %s' % (r, cpuRegs[r]))

#print code

fd = open('code.asm','w')

fd.write('\n'.join(code)+'\n')

fd.close()

Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'

os.popen('nasm -f elf64 code.asm')

os.popen('ld -o code code.o ')

print 'Ejecutando ...'

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')

for l in fd.readlines():

    for x in finalRegs.keys():

        if x in l:

            l = l.replace('\t',' ')

            try:

                i = 12

                spl = l.split(' ')

                if spl[i] == '':

                    i+=1

                print 'reg: ',x

                finalRegs[x] = l.split(' ')[i].split('\t')[0]

            except:

                print 'err: '+l

            fregs -= 1

            if fregs == 0:

                #print 'sending regs ...'

                #print finalRegs

                

                buff = []

                for k in finalRegs.keys():

                    buff.append('%s=%s' % (k,finalRegs[k]))

                print '\n'.join(buff)+'\n'

                print s.readAll()

                s.write('\n'.join(buff)+'\n\n\n')

                print 'waiting flag ....'

                print s.readAll()

                print '----- yeah? -----'

                s.close()

                

fd.close()

s.close()

Read more

1. Hacking Tools Mac
2. Github Hacking Tools
3. Hack Tools For Pc
4. Pentest Tools Website Vulnerability
5. Beginner Hacker Tools
6. Best Hacking Tools 2019
7. Pentest Tools Bluekeep
8. Hack Website Online Tool
9. Pentest Recon Tools
10. How To Make Hacking Tools
11. Pentest Tools Port Scanner
12. Hacking Tools For Windows
13. Pentest Tools Review
14. Beginner Hacker Tools
15. Tools Used For Hacking
16. Hacking Tools 2019
17. Hacking Tools Github
18. Pentest Tools Tcp Port Scanner
19. Hack Tools Download
20. Hacking Tools Software
21. Pentest Tools Nmap
22. Pentest Tools Website Vulnerability
23. Best Hacking Tools 2020
24. How To Install Pentest Tools In Ubuntu
25. Hacking Tools For Windows Free Download
26. Hacking Tools For Mac
27. Hacker Tools Software
28. Pentest Reporting Tools
29. Hacking Tools Mac
30. Hack Tools For Mac
31. Hack Tools For Games
32. Pentest Tools Download
33. Hack Tools For Windows
34. Nsa Hack Tools Download
35. Install Pentest Tools Ubuntu
36. Hacker Tools Github
37. How To Make Hacking Tools
38. Hack Tools Online
39. Hacker Tools For Pc
40. New Hacker Tools
41. Black Hat Hacker Tools
42. Hacking Tools For Windows
43. Usb Pentest Tools
44. How To Make Hacking Tools
45. Hacking Tools Download
46. Hacking Tools Kit
47. Best Pentesting Tools 2018
48. Nsa Hack Tools
49. Hacking Tools Kit
50. Hack Tools
51. Hacker Techniques Tools And Incident Handling
52. Hack Tools
53. Android Hack Tools Github
54. Nsa Hack Tools
55. Hack Tools Pc
56. Hacking Tools For Kali Linux
57. Pentest Tools Website
58. Best Pentesting Tools 2018
59. Hack Tools For Ubuntu
60. Free Pentest Tools For Windows
61. Pentest Tools Website Vulnerability
62. Pentest Tools Linux
63. Hacker Tools 2019
64. Free Pentest Tools For Windows
65. Hacker Tools Apk
66. Pentest Tools Open Source
67. How To Hack
68. Pentest Tools Subdomain
69. Pentest Tools Website
70. Underground Hacker Sites
71. Hacker Tools Windows
72. Pentest Tools List